
Windows Scripting Utilities: net Commands

Table of Contents

net Commands ...... 2
net Syntax ...... 3
net Commands -1 ...... 4
net Commands -2 ...... 6
net Commands -3 ...... 7
net config ...... 8
net config workstation ...... 10
net share ...... 11
net view -1 ...... 13
net view -2 ...... 14
IPC$ ...... 15
net use -1 ...... 17
net use -2 ...... 18
net use -3 ...... 21
net use Examples ...... 22
netsh ...... 23
netsh – Command Mode -1 ...... 24
netsh – Command Mode -2 ...... 26
netsh – Command Mode -3 ...... 27
netsh – Command Mode -4 ...... 28
netsh – Batch Mode ...... 30
Notices ...... 32

Page 1 of 32

net Commands

Used to update, fix and view basic computer and network settings

Run from the command prompt or in Batch files

Most useful for enumerating accounts, groups and network shares


**022 Okay. The net commands. These are native to Windows. They're essentially pretty much like admin, administrator tools, used to update, fix and view your basic computer and your network settings and scan. These all run from the command-line interface and therefore you can put them into your Batch file, so that's great. And this says most useful for enumerating the accounts and groups and such, but actually, there's a ton of things this can do, as you'll see here shortly.

net Syntax

To see the list of available options – “net /?”

Help for each net command – “net help command”


**023 So just starting out, if you want to look up what it's NET and something else, NET accounts, NET computer. If you want to see that list, you can do the /?. Yeah, similar to . But you can also just do NET actually, if you just NET. It'll do the exact same thing. It'll give you that listing right there. And then if you do the NET HELP, and then you put the actual subtopic or category that you'd like to get information on, like VIEW in this case, it'll just, it'll give you the usage and it'll also give you a little bit more detail on what the options of the flags might be. And there, as you can see, there are quite a few of them, and they're very helpful. They're meant to be for the administrator to be able to see things, to be able to adjust things, change things. So very powerful in taking the red/pentester side of me, we can use these for many not so on the up side things to do also, so...

net Commands -1

Many of these require Elevated Permissions to view or modify!

net accounts – update user account database, modify passwords and login requirements

net computer – adds or deletes computers from the domain

net file – display a list of open shared files

net group – add, delete, view groups (only works on Domain Controllers)


**024 Okay. One thing about many of these commands is that you will need elevated privileges to do it because they expect that an administrator's the one who's going to want to stop a process or see a list of maybe group users or something like that. Obviously someone that has those kind of privileges, so it kind of defaults to that. So if you don't have those, a lot of times if you go back to your work computer back your office and you try some of these commands, they'll say access denied and you won't be able to get at them, because your privileges aren't high enough. So if you're going to use these, especially in your scripting, make sure that the user account that you are running it from has high enough privileges. Okay?

So accounts. Update user account database, modify passwords and login stuff. Net computer. This has to be with computers on a domain. So if you have a small non-domain, there's no domain controller running it, then this won't help you. It lets you add and delete computers to and from the domain. Net file displays open file shares, which is pretty nice. And net group lets you view groups and lets you add or subtract from that group. But once again, this is, this one only works on domain controllers itself, so you have to do it on a DC.

net Commands -2

net localgroup – add, delete, view local and network groups

net session – display, delete sessions connected to the computer

net statistics – display network statistics

net time – display time and date of another network computer


**025 So the net localgroup, unlike net group, will work on the local machine. It'll also work on network groups as well, if it is connected to a domain. So you can add and delete. Net session allows you to see all the sessions connected to a particular machine. And also lets you shut it down if you have the privileges to do so.

If you want to look at your network statistics, that's available and there's actual time. Net time will let you look at what it is. If you're just sitting on a stand-alone, it'll just go no time server, so can't get anything from that.

net Commands -3

net user – display, create, delete users on the computer or domain

net start – lists running services or starts a Windows service

net pause – suspend a Windows service

net continue – resume a paused Windows service

net stop – stop a Windows service


**026 So if you're looking to enumerate the users on a machine, like you might if you're pentesting, you can use the net user, and you can also create, if you have enough privileges, and delete.

So net start and net stop. This is for checking services that are running. If you just run net start it'll just show other running services. And if you put a particular service in there and you have the privileges, it will start that service from the command line and the same is true for stopping. Must have the privileges and it'll shut it down for you right from the command line. You can pause it, the Windows service as well, and of course, continue is just resuming that same service, so...

net config

An extremely valuable net command for displaying configuration information of the local computer

Has two options: Workstation or Server

• Workstation is the most useful since that service is almost guaranteed to be running on the system.

– Great for finding

o OS Version

o Computer Name

o Domain

o User name


**027 So net config gives you quite a bit of information, actually. And it says extremely valuable, and that may be extremely valuable to a hacker. In addition to being an administrator. If you're looking for good information on a particular machine, you can use the net config command and you'll see a lot of the configurations. It does have two options. You can put in net config workstation, and it'll give you the information. Actually give you information about both workstation and server, whether you have a server or not. On the server side it'll say number of connections, and it'll be 0, because obviously no one--or should be 0. Obviously if you're not a server, for the most part, aren't connecting to you. So that sort of server information will still be available, it'll just show up as 0 or whatever the case is.

So... And like it says, the workstation for this particular command is most likely to be running, so it'll get you that information, the OS version, computer name, domain, and the user name that's logged in.

net config workstation


**028 Okay. So you can see up top net config workstation, and it gives you the information there.

And a lot of this, if you're not an admin and you're not keeping statistics like this, it may be more than what you need. But if you are an admin, you may be very, very interested in this.

net share

Without any options, lists information about all resources being shared on the computer

net share sharename will display further details about that share


**029 So net share. Without any options it'll show you all the resources that are being shared with that computer. So you can see from previous, the null session connection that we had talked about, the IPC$ share, that is a hidden share. So you see there, there's a C$, a hidden C:\ share, that pretty much mirrors the C drive on your machine. The ADMIN$, also a hidden share for communication.

And then if you're looking for backup share name of backup, it'll go and give you the information about it. Number of users maximum. In this case, there's no limit. So permissions. FULL, everyone, which is interesting, or everyone, FULL, rather. Which is interesting, because that means they can do anything to that backup.

And again, taking advantage of the error code or a you can use the same. You'll notice most of these use when you complete them successful, the command completed successfully on both of these. So you can use that as input into another port, onto the command. Yes, Chris?

Instructor 2: I was going to add on this, the, you see the permissions, excuse me, that are listed there for the shares. This is really cool for going out and auditing file permission shares. Now, you'd have to go an extra step into this to get the NTFS permissions as well, but if you're just looking for share permissions in a three or four line Batch file, you can actually go grab the shares for all your workstations and do an audit across those permission levels very, very easily. Just using that. You don't need anything else specific or particular in order to do that. There's a lot of functionality exposed by the NET commands that's really good for administrative purposes.

Instructor: Okay. Thank you.

net view -1

Displays a list of domains and computers that are being shared by the specified computer

Without any options, it displays a list of computers in your current domain

Must have Admin Permissions

If the computer is a member of a domain, the domain controller will be the last one listed.


**030 Okay. So net view. So this displays a list of domains and computers that are being shared by the specific computer. If you run it without options, it'll show you that list of the current domain. This explicitly must have admin permissions to be able to run this, which makes sense, because to get this kind of information you should have elevated privileges to be able to do that. And again, if it's a member of a domain, the domain controller will be the last one on the list. So that's nice, so you'll be able to figure that out. That's something that perhaps a hacker might want to be interested in.

net view -2

net view \\computername /all – will show all the shares and other resources (printers) that are available on computername

• Use this to find shares on other computers that should or should not be there!


**031 So here's the syntax. You use net view \\ either computername or ip and then /all would show you all the information that you're looking for. So just like that last line says, this is a tool if you're looking for unauthorized shares that shouldn't be there. You'll be able to enumerate the shares. So that's something to consider if you're doing that.
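The workstation share audit Instructor 2 described earlier (a few-line Batch file run across all workstations), written out here as an added example that is not part of the course material, using the net view \\computername /all form from this slide. hosts.txt and the WS-01/WS-02 names are constructed, and the account running it must be allowed to enumerate shares on those hosts.

```batch
@echo off
rem Added example, not from the course material: the short batch file share audit
rem Instructor 2 describes, built on "net view \\computername /all".
rem Assumptions: hosts.txt lists one hostname per line and lines starting with # are
rem comments; the account running this may enumerate shares on those hosts. If hosts.txt
rem is absent, a constructed two-entry sample is written so the script runs as-is.
setlocal EnableDelayedExpansion
set "REPORT=share_audit.txt"
if not exist hosts.txt (
    > hosts.txt echo # constructed sample host list
    >> hosts.txt echo WS-01
    >> hosts.txt echo WS-02
)
> "%REPORT%" echo Share audit run on %DATE% %TIME% by %USERDOMAIN%\%USERNAME%
for /f "usebackq eol=# tokens=*" %%H in ("hosts.txt") do (
    >> "%REPORT%" echo === %%H ===
    rem Pass 1: the full listing, hidden $ shares included, goes into the report verbatim.
    rem A non-zero exit code, access denied or host unreachable, is recorded, not hidden.
    net view \\%%H /all >> "%REPORT%" 2>&1
    if !ERRORLEVEL! neq 0 echo [WARN] net view on %%H failed, exit code !ERRORLEVEL! >> "%REPORT%"
    rem Pass 2: flag every Disk share whose name does not end in $, i.e. anything beyond
    rem the default administrative shares C$, ADMIN$ and IPC$, for a human to review.
    rem Caveat: a share name containing spaces splits across tokens and is not matched.
    for /f "tokens=1,2" %%A in ('net view \\%%H /all 2^>nul') do (
        if /i "%%B"=="Disk" (
            set "NAME=%%A"
            if not "!NAME:~-1!"=="$" echo [REVIEW] %%H exposes share %%A >> "%REPORT%"
        )
    )
)
type "%REPORT%"
endlocal
```

The [REVIEW] lines are the audit's output: every non-hidden disk share on every host, which is the list to compare against what should be there.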

IPC$

Interprocess communication share

Often called the null sessions connection

Used by SMB and NetBIOS for temporary connections between clients and servers

The $ indicates it is a hidden share. Disabling will break most Windows Server functions that use RPC

Can be used to create unauthenticated connections (Anonymous Credentials)

Can be used to create authenticated sessions for machines outside the domain


**032 So kind of went over this little bit earlier today, the interprocess communication share. It's used by the service message block, SMB, and the NetBIOS for Windows, for temporary connections between clients and servers. So a lot of times the null sessions are discouraged, meaning being able to attach with no user and no password. Used to be the default. Now they try to prevent that from happening, but backward compatibility is an issue, so you may not be able to communicate with some computers, if those are not set the same for both. I'll just put it that way. Course, the $, as I mentioned, denotes a hidden share. And disabling it generally breaks most server functions. And then Anonymous Credentials is what I was saying. You can connect with just the user being blank and the password being blank for the null connection. And you can do authenticated sessions. And this is a key where it says authenticated sessions are authorized for machines outside of the domain. So a pentester might use this because they don't have to be a part of the domain and they can go in and reach out and connect to a machine, if they have some credentials, so...

net use -1

Connects or disconnects a computer from a shared resource (share or printer) and can display information about the connections

Without any options will display the local computer’s currently mapped resources


**033 Okay. And the net use command that we used earlier. There's another way. If you use it with no options, it'll just give you all the current shared resources that are out there which are connected to.

net use -2

net use [\\computername\sharename] [password] [/user:username] [/persistent:yes|no] [/savecred] [/delete] [/smartcard]

[\\computername\share] – the resource to connect to, if used without share will connect to IPC$

[password] – use * to be prompted for password

[/user:username] – if not provided, will use the currently logged in user, for domains use domainname\username

[/persistent:yes|no] – yes will restore the connection on next logon, no is the default


**034 And there's quite a few options available when you do the, use the, net use command. It's quite useful, especially for admins, being able to reach out to a box, because you can, once you, if you have the proper credentials, if you're supposed to be there, you can get at a lot of things. You can pull down files, et cetera, without having to worry about how to connect to it and pulling things back. So you have to have the \\computername or for that area, the \, the sharename that you're trying to connect to, whether it's the IPC$ or C or whatever it is. You put the password there. If you put an asterisk in where the password's supposed to be, it'll just prompt you when it runs, and that way you can just have it do the work that way. Or you can actually place the password right in there like we did for the script that we ran earlier, and then /user: and then the username. And so you have the option of making it a persistent connection, so the next time you reboot and come back up it'll try to make that connection again. And as long as the credentials and everything else match, you'll all automatically have that share.

And then it does, the savecred is used with the /persistent to make sure that you keep it, and that /delete, or you can use /d like I did in the script that we had. We were cleaning up after ourselves and we were disconnecting. So you would use the /d. And if you happened to use a smartcard that has the chip on it, you can also use the /smartcard to be able to use the credentials that are on a smartcard, if that's got a connection for it. So that makes that part easier.

So if you don't provide a user at all, it will use your current credentials that you're running this command from, so if you are already privileged enough to use it, you don't even have to put username or password. It'll just use your current credentials and that makes it a little easier if you're administering the network with that.

Instructor 2: Want to comment on that. Administrator on your local laptop is different from administrator on everybody else's laptop, which is different from the domain administrator account. So even though you're using the same name, excuse me, if you're using the integrated authentication by not specifying the username, Windows will know the difference between administrator here, administrator there and domain administrator as well. So sometimes it's best to be very explicit about which administrator or which account you're actually using.

Instructor: Great. Very good. Thank you.

net use -3

[/savecred] – stores the password and username provided to connect, used with /persistent

[/delete] – remove a current connection, use * to remove all connections

[/smartcard] – use credentials of an available CAC


**035 Okay. And that's just a continuation of the information that that was on the other one, the savecred, the delete and the smartcard. And if you've not heard of a CAC, a CAC, it's the common access card that the government uses, is the CAC.

net use Examples

net use z: \\server\data * /user:mydomain\joeuser /savecred /p:yes

• This will map the share data on server with the account mydomain\joeuser.

• It will also prompt me for a password the first time I connect and save it for future use.

• The connection will be restored the next time I login.

net use z: /delete

• Removes the connection that was established above

• Will not be restored at reboot


**036 Okay. So when you specify before the server and the data a drive and that drive is available, it will map it to that particular drive for you. So that's kind of nice. You can also put an asterisk there and it will grab the next available drive. But if you want to make sure you know what that share is connected to or what drive it's attached to, then you go ahead and explicitly put the z or whatever letter you'd like.

The star will prompt you again for the password, and in this case the user. If you are on a domain, you want to make sure you put a domain in front of your username. This one you're saving the credentials to make it persistent.

And once again, this is a cleanup. And even with the--or this will remove the persistent connections as well, if you explicitly do the delete or a /d. So if you do disconnect your connections, if you had it persistent before, don't think that it'll come right back. This will stop that portion of it, it'll remove, if you will, the persistent piece of it, so...
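A Batch script, added here as an example and not part of the course material, that puts the net use options above together the way an administrator's script would: an explicit domain account as Instructor 2 recommends, the * password prompt, /persistent:no, a check of the exit code before doing any work, and the /delete cleanup on every path. The share \\fileserver\backup, the account lab\auditor, drive Z: and the log file name are constructed placeholders.

```batch
@echo off
rem Added example, not from the course material: map a share under an explicit domain
rem account, continue only if "net use" reports success, and always release the mapping.
rem Assumed placeholders: \\fileserver\backup, lab\auditor and drive Z: are constructed.
rem The "*" makes net use prompt for the password, so it is never written into the script.
setlocal
set "SHARE=\\fileserver\backup"
set "DRIVE=Z:"
set "ACCOUNT=lab\auditor"
set "LOGFILE=%TEMP%\netconfig-%COMPUTERNAME%.txt"
set "RC=0"

rem Clear any stale mapping on the chosen letter so the new connection cannot collide.
net use %DRIVE% /delete >nul 2>&1

rem /persistent:no - the mapping must not silently reappear at the next logon.
net use %DRIVE% %SHARE% * /user:%ACCOUNT% /persistent:no
if errorlevel 1 goto :mapfail

rem Work happens only once the mapping is known good: here, record this machine's
rem net config output on the share and confirm the copy landed before claiming success.
net config workstation > "%LOGFILE%"
copy /y "%LOGFILE%" "%DRIVE%\" >nul
if errorlevel 1 (
    echo [ERROR] copy to %SHARE% failed
    set "RC=2"
) else (
    echo [OK] %LOGFILE% copied to %SHARE%
)

rem Cleanup on both paths: a mapping left behind stays usable by anyone who later
rem acts in this session, and it would outlive the purpose it was created for.
net use %DRIVE% /delete
endlocal & exit /b %RC%

:mapfail
echo [ERROR] could not map %SHARE% as %DRIVE% for %ACCOUNT% - net use exit code %ERRORLEVEL%
endlocal & exit /b 1
```

The script's own exit code (0, 1 or 2) is what a calling Batch file or scheduler checks, which is the "use the error code as input to the next command" idea from the net share discussion.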

netsh

Network Shell

Command-line scripting utility to access many high-level network functions on local or remote computers

• Network Interfaces

• Windows Firewall

• Routing & Remote Access

Can be used from the command-line (Command Mode) or as a shell or with scripts (Batch Mode)


**037 Okay, netsh or netshell. This is a CLI scripting utility that gives you a lot of high-level network functionality. It's good across the network, gives you access to network interfaces. Like it says, Windows firewall routing and remote access capability. So there's I guess, essentially two modes. There's the command-line mode, and then you can actually run it with a Batch using a script.

netsh – Command Mode -1

Functions like a standard command where options are entered on one line

Can be used in batch files

netsh [context] [sub-context] command

• [context] options are the part of the network to access – dhcpclient, firewall, interface, show

• [sub-context] usually the action to perform – add, delete, set

• command is the details of the action – the ip address, the route, the server name

Use netsh help or netsh [context] help or netsh [context] list for possible options.


**038 So in command mode, these are all entered right at the command line. The construct for this is context, sub-context and command. It's kind of different, and I'll show you as we get to the example on how that works. It's not quite the same way you would use, like, net use or some of the other ones. So netsh has a slightly different that you have to follow.

So the context piece, you know, like dhclient, firewall, interface, show. Sub-context, usually an action to be performed, like either adding or deleting. And the command is the detail of the action. If you're looking for a specific IP address, a route, a server name. So you can see these aren't quite like semantically what you think they are. Command really shouldn't be the detailed part, or you wouldn't think of that as the detailed part. You would probably think it might be a subcontext or something, and that's kind of what I meant by it's not quite the format that you're used to with the other command. So if you are going to use netshell, it's very powerful, but you, you really kind of have to do your homework before you start using it in your scripts.

And there is netsh help. That'll give you some information.

netsh – Command Mode -2

Use netsh help or netsh [context] help or netsh [context] list for possible options.


**039 So similar to the other. If you do a netsh dhcp help it gives you exactly what sorts of things you need to put in. It doesn't really explain which ones you need to be putting in as a context or a subcontext or the command, so that part of this help isn't quite as helpful as you might think. So some of it kind of have to do a little bit of trial and error to use it. They do have a list so you can see what all the commands available within, like, dhcp here are. Add server, add securitygroups, et cetera. So it does give you information about what you can do, but it's a little bit, like I said, more difficult to get the syntax right to make it work right.

netsh – Command Mode -3

netsh dhcp show server

• Will list the dhcp server the local server is using

netsh interface show interface

• Will list all the network interfaces

netsh interface ip show dnsservers

• List the DNS servers for all the connections

netsh interface ip set dns name="Local Area Connection" source=static addr=192.168.0.2

• Set the interface “Local Area Connection” to static DNS


**040 So here's the construct that I was kind of talking about. Netsh dhcp show server. So most of these are pretty straightforward, but sometimes you don't know whether you want to do interface show ip dnsservers. In this case it's supposed to be ip first, interface ip, then show, then dnsservers.

Some of them are redundant but do what they need to do. The interface show interface, you wouldn't think you needed to explain both of those but it's a requirement, so again, you'll have to, if you decide to use this for your scripting, you want to do a little bit more research and make sure you get the way these constructs work.

And this one here, you're looking at setting the interface, the local area connection, to a static DNS address. So as you can see, that's a pretty powerful thing to be able to do just from the command line. So netsh can be your friend. I just think it'll just take a little bit of research since it's a little bit different than a lot of the commands that we've shown today.

netsh – Command Mode -4

netsh dump interface > c:\IntConfig.dat

• Will backup the current interface config to a file

• Exports all the interfaces and network settings

netsh exec c:\Intconfig.dat

• Will restore the current interface config from a file

• Restores all the interfaces and network settings

Use the -r option to run any of the commands against a remote server – need appropriate permissions!

• netsh -r lab-dc-01 -u lab\Administrator -p * dump interface > c:\IntConfig.dat


**041 So you can do backups of current interface configurations to a file like the top line there. You're redirecting that to a .dat file. So that's something that's a little bit different from just copying or finding a string or whatever. This is more administrative type of work you can do with this tool.

Then you can also restore based on that previous configuration file if you use the exec command along with the netsh. And you can take the configuration and restore a previous of it. So that's very powerful as well.

And then the -r option. Run any of the commands against a remote server, but you do need administrator permissions, and that's why it's kind of looking for the user to be administrator and it'll ask you for that password for you to be able to do these. Especially because you're changing, if you're putting the, if you're grabbing interface information from a DC, a domain controller, it's kind of important. You don't want just anybody to be able to do that.

netsh – Batch Mode

Functions like an interactive shell

• Run netsh with no options, gives a netsh shell prompt

Can be fed a text file to execute a series of commands, use -r to run against a remote machine

• Run netsh exec filename


**042 Okay. And as I said at the beginning of this, there is a second mode. You can do a Batch. So instead of doing it individually at the command line, same thing as Windows Batch and netshell has Batch mode as well and you can just create a text file. And then put your commands that you'd like to have run and then just use the exec and then the filename that has the list of all the commands that you would like to have covered.

Instructor 2: There were two other functions within netsh that I thought worthwhile to bring up here. This only just scratched the surface of what netsh can do. Netsh really exposes the entire network subsystem within Windows to you. So you can script with it, you can change things with it. If you look at the netsh trace command it actually gives you the ability to do traffic sniffing. So similar to what you can do with wireshark or tcpdump or something like that, you can actually capture network packets and look at them, capture them, with netsh. And then you can export that file and it, pull it into, you know, any pcap-compliant packet program. So you actually have a built-in network sniffer in Windows through netsh, which I find really, really cool.

The next one is if you are familiar with Linux and using ssh to do port redirection or remote and local port forwarding, you actually have the exact same capability within Windows through the netsh command to set up port forwarding so that you could, again, if you were using this for evil purposes, you could actually bounce through a Windows box, you know, direct an attack through a Windows box somewhere else, and have it relay that attack for you or relay that traffic for you. So netsh is truly a powerful and probably, I think, underappreciated program, because a lot of that functionality is absolutely buried in there. And so you really got to dig into it. But pretty much anything with the network subsystem in Windows, you've got access to from that one program.

Notices

© 2015 Carnegie Mellon University This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected]. This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.

